A default cPanel install will run fine. It also exposes a wide attack surface: WHM ports, mail services, DNS, FTP, and a pile of daemons you may never touch.
This cPanel hardening tutorial focuses on changes you can usually finish in about an hour. The goal is to cut risk without breaking normal customer workflows.
The examples assume a single cPanel/WHM server on AlmaLinux 9/10 or Rocky Linux 9 (typical in 2026), with root access. If you host production client sites, test these changes on a staging server first. Then replicate the final settings.
Prerequisites and a safe rollback plan
Before you change security settings, make sure you can recover quickly if something goes sideways. Stick to two rules: keep a working root shell, and keep a recent backup you’ve verified.
- Confirm console access (IPMI/KVM from your provider, or a rescue console). If SSH is your only entry point, treat firewall changes like live surgery.
- Capture current state so you can diff later:
uname -r
cat /etc/redhat-release
whmapi1 version
ss -lntup | head
iptables -S 2>/dev/null | head
- Take a full backup (accounts + system). If WHM backups are already configured, run one manual cycle and confirm it completes.
If you don’t have cPanel installed yet, start on a clean server.
For predictable performance, a VPS with dedicated CPU/RAM beats oversold environments. A right-sized HostMyCode VPS is a solid baseline.
If you want patching and operational help, managed VPS hosting keeps maintenance from turning into a backlog.
Step 1: Update the OS, cPanel, and enable unattended security updates
Most real compromises still start with old packages. Patch first, then harden. On AlmaLinux/Rocky, use dnf. Let cPanel handle its own updates.
# OS updates
sudo dnf clean all
sudo dnf -y update
sudo reboot
# cPanel updates (run after reboot)
sudo /usr/local/cpanel/scripts/upcp --force
Enable automatic security updates for the OS. Tooling varies, but dnf-automatic is still a straightforward fit for many cPanel servers in 2026.
sudo dnf -y install dnf-automatic
sudo sed -i 's/^apply_updates =.*/apply_updates = yes/' /etc/dnf/automatic.conf
sudo systemctl enable --now dnf-automatic.timer
systemctl status dnf-automatic.timer --no-pager
Also review cPanel’s update settings in WHM: Home → Server Configuration → Update Preferences. For most hosting servers, “RELEASE” is the sane default. Only run earlier tiers with a specific reason.
Step 2: Restrict WHM and cPanel access (ports, IP allowlists, and login limits)
WHM’s default ports (2087 for HTTPS, 2086 for HTTP) get scanned constantly. You can’t make them invisible. You can make them difficult to reach and expensive to attack.
2.1 Disable non-TLS access to WHM and cPanel
In WHM, open Service Configuration → cPanel Web Services Configuration. Turn off non-SSL services unless you have a strict requirement.
- Disable cPanel Service (cpsrvd) over HTTP (port 2082/2086 equivalents).
- Force redirects to HTTPS.
Then verify port 2086 isn’t reachable externally.
curl -I http://YOUR_SERVER_IP:2086/ 2>/dev/null | head2.2 Add an IP allowlist for WHM (recommended)
If you manage WHM from a stable office/VPN IP, put it on an allowlist. It’s one of the fastest ways to reduce brute-force noise.
Option A (simple): use your firewall to allow 2087 only from admin IPs (covered in the firewall step).
Option B (cPanel layer): use WHM → Security Center → Host Access Control to restrict key services.
Start conservative. A strict rule can lock you out the moment your IP changes.
2.3 Reduce password attack surface
In WHM → Security Center, review these items first:
- cPHulk Brute Force Protection: enable it, use a lower threshold for WHM/root-related services, and whitelist your admin IPs.
- Two-Factor Authentication: require it for WHM administrators and resellers.
- Password Strength Configuration: set a higher minimum for resellers and mail accounts than your customers would choose on their own.
If you want a deeper SSH baseline that pairs cleanly with WHM security, follow HostMyCode’s SSH lockdown tutorial. Come back after you’ve verified key-based access works.
Step 3: Secure SSH the cPanel-friendly way (no surprises for backups and admins)
On cPanel servers, SSH is still a common entry point for attackers. The goal is simple: keys only, no direct root login, and a predictable path for admins and automation.
3.1 Switch to key-based auth and disable password auth
Edit /etc/ssh/sshd_config. Or use a drop-in under /etc/ssh/sshd_config.d/ if your distro prefers it.
These settings keep SSH strict without fighting cPanel.
# /etc/ssh/sshd_config.d/99-hardening.conf
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AllowUsers youradminuser
Reload SSH, and keep an existing session open while you test a fresh login in a new terminal.
sudo sshd -t && sudo systemctl reload sshd3.2 Put admin SSH on a dedicated user with sudo
sudo useradd -m -s /bin/bash youradminuser
sudo usermod -aG wheel youradminuser
sudo mkdir -p /home/youradminuser/.ssh
sudo chmod 700 /home/youradminuser/.ssh
sudo tee /home/youradminuser/.ssh/authorized_keys >/dev/null < ~/.ssh/id_ed25519.pub
sudo chmod 600 /home/youradminuser/.ssh/authorized_keys
sudo chown -R youradminuser:youradminuser /home/youradminuser/.ssh
Many teams add an IP allowlist and Fail2Ban next. If your server is public-facing, HostMyCode’s Fail2Ban setup tutorial is a solid pattern to adapt.
The approach is the same on AlmaLinux/Rocky, but package names and paths may differ.
Step 4: Firewall hardening for cPanel/WHM (only open what you sell)
Every open port becomes both a security exposure and a support obligation. Hosting servers do need more ports than a single web app.
You still decide which ones earn their place.
4.1 Decide what services you actually provide
Use this checklist to match ports to services. If you don’t provide a service, close its ports and disable the daemon.
- Web: 80, 443
- WHM/cPanel: 2087 (WHM HTTPS), 2083 (cPanel HTTPS)
- SSH: 22 (or your custom port)
- Mail (if hosting email): 25, 465, 587, 110, 995, 143, 993
- DNS (if authoritative): 53 TCP/UDP
- FTP (avoid if you can): 21 + passive range (prefer SFTP instead)
4.2 Apply a production ruleset
Many cPanel servers use CSF (ConfigServer Firewall). If you already rely on CSF, manage ports there.
If you prefer your own baseline, iptables/nftables rules can work well. Test carefully, and keep console access available.
For a clear hosting-oriented approach, use HostMyCode’s IPTables firewall tutorial as the blueprint. Then add the cPanel-specific ports listed above.
Example: allow WHM only from an admin IP (conceptual rule; implement using your firewall tool):
# Allow WHM only from your office/VPN IP
# TCP 2087 from 203.0.113.10 only
-A INPUT -p tcp -s 203.0.113.10 --dport 2087 -j ACCEPT
-A INPUT -p tcp --dport 2087 -j DROP
Apply the same idea to SSH if your admin IPs are stable. In practice, you’ll see the scan noise drop within minutes.
4.3 Don’t forget outbound controls (simple version)
If you host email, you need outbound TCP 25/465/587. If you don’t, blocking outbound 25 can stop a compromised PHP site from blasting spam.
Make this a conscious choice, document it, and test it.
Step 5: Harden TLS for WHM, cPanel, web, and mail
TLS on a cPanel box is spread across multiple endpoints: cpsrvd (WHM/cPanel), Apache or LiteSpeed, Exim, Dovecot, and sometimes Pure-FTPd.
Aim for consistent certificates and modern protocols across all of them.
5.1 Use AutoSSL and confirm renewals
In WHM: SSL/TLS → Manage AutoSSL. Use the cPanel provider or Let’s Encrypt (depending on your license and policy). Enable AutoSSL for all cPanel services.
Then do a quick CLI check:
# Check certificate expiry for WHM (2087) quickly
echo | openssl s_client -connect YOUR_HOSTNAME:2087 -servername YOUR_HOSTNAME 2>/dev/null | openssl x509 -noout -dates5.2 Disable legacy protocols where possible
In 2026, most hosting environments can run TLS 1.2 and TLS 1.3 only. The exact toggles vary by service.
WHM exposes much of it here:
- WHM → Service Configuration → cPanel Web Services Configuration
- WHM → Service Configuration → Exim Configuration Manager
- WHM → Service Configuration → Mailserver Configuration (Dovecot settings)
If you run Nginx as a reverse proxy in front of Apache/LiteSpeed, keep edge TLS tight as well. This pairs naturally with modern transport features.
See HostMyCode’s HTTP/2 and HTTP/3 setup guide if you maintain an Nginx layer.
Step 6: Disable and remove services you don’t need (FTP, unused DNS, weak auth paths)
Hardening isn’t only about adding controls. You also want fewer moving parts, fewer exposed daemons, and fewer legacy paths.
6.1 Prefer SFTP over FTP
If you don’t have legacy clients that truly need FTP, disable it. In WHM:
- Service Configuration → FTP Server Selection: pick “Disabled”.
- Remove passive FTP port ranges from your firewall rules.
If you must keep FTP, enforce TLS (FTPS), use strong ciphers, and keep the passive port range as small as possible.
6.2 DNS: run it only if you’re authoritative
If DNS is handled elsewhere (an external DNS provider, or a separate cluster), disable local named/powerdns and close port 53.
If you do host DNS on this box, plan to split DNS to separate servers later. It’s one of the cleanest ways to reduce blast radius.
6.3 Turn off demo and legacy features
- Disable “Shell access” for regular cPanel users unless you sell it as a feature.
- Disable WebDisk if your customers don’t use it.
- Disable “Digest Authentication” if still enabled anywhere.
The target state is boring: fewer entry points, fewer support tickets, and fewer surprise dependencies.
Step 7: Tighten cPanel account and reseller permissions
On many servers, the biggest day-to-day risk isn’t root. It’s a reseller with unnecessary privileges. Or it’s a compromised cPanel account with shell access and sloppy permissions.
7.1 Review reseller privileges
In WHM: Resellers → Reseller Center. Audit each reseller:
- Remove “All Features” packages. Assign only what they actually sell.
- Avoid granting “Edit DNS Zone” unless the reseller is trained and accountable.
- Restrict “Account Creation Limits” to realistic numbers.
7.2 Enforce safe defaults for PHP and file permissions
Make sure PHP runs with account isolation (such as PHP-FPM per user, or a suPHP-style model depending on your stack). The point is containment.
One compromised WordPress site shouldn’t become a server-wide incident.
Quick check: confirm you don’t have world-writable files and directories under customer homes.
# Find world-writable files under home directories (should be near zero)
find /home -xdev -type f -perm -0002 -print | head
# Find world-writable directories
find /home -xdev -type d -perm -0002 -print | headStep 8: Add basic intrusion detection signals (without drowning in alerts)
You don’t need a full SOC to get value from monitoring. You do need a few reliable signals: login failures, unexpected restarts, disk pressure, and outbound email spikes.
8.1 Turn on useful audit logging
At minimum, keep:
- SSH auth logs (systemd journal or
/var/log/secure) - Exim mainlog/rejectlog if you host mail
- Apache/LiteSpeed access/error logs
- cPanel access logs (cpsrvd)
Then add simple thresholds for disk usage and load.
If you want a lightweight approach to alerts and graphs, follow the HostMyCode VPS monitoring tutorial. Adapt those checks to your cPanel server.
8.2 Watch outbound email volume (even if you don’t “host email”)
Compromised PHP sites often send mail through local Exim. Even if you don’t provide mailboxes, you still need a plan for outbound mail.
Either control it tightly, or route it through a dedicated relay.
If you do run mail, keep deliverability healthy with correct DNS. HostMyCode has hands-on guides for SPF/DKIM/DMARC and reverse DNS (rDNS).
Step 9: Backups that survive a bad day (and a restore test that proves it)
Even a hardened server fails. Disks die. Accounts get deleted. People make mistakes.
Your backup plan should assume the server will be unavailable when you need it most.
9.1 Configure off-server backups
In WHM: Backup → Backup Configuration:
- Enable backups, pick a schedule (daily incrementals + weekly full is common).
- Use remote storage (SFTP, rsync, object storage gateway) so the backup isn’t lost with the server.
- Keep at least 14–30 days if disk allows, longer for business-critical clients.
If you want a detailed WHM walkthrough, including restore testing, use HostMyCode’s cPanel backup tutorial as your reference. Align retention to your SLA.
9.2 Do a real restore test (not just “backup completed”)
Create a throwaway cPanel account. Add a file, a database, and a mailbox. Then restore it to a separate server or a separate account name.
Confirm:
- Website loads over HTTPS
- Database credentials work
- Mailbox can authenticate and send/receive
This is where you find out if remote storage credentials, firewall rules, and quotas are actually correct.
Step 10: Quick verification checklist (15 minutes)
Once you’ve tightened things up, verify from both outside and inside the server. This is how you catch lockouts and “we accidentally broke mail” issues while they’re still easy to undo.
- Ports: run a scan from a separate machine (or an online scanner you trust). Only expected ports should answer.
- WHM: confirm HTTPS-only access and 2FA for admins.
- SSH: confirm keys-only access and root login disabled.
- Mail (if used): confirm submission (587) works and rDNS/SPF/DKIM/DMARC are valid.
- Backups: confirm fresh backups land in remote storage and don’t fail quietly.
# Local port inventory (useful before/after snapshot)
ss -lntup
# Verify SSH doesn’t allow passwords
ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no youradminuser@YOUR_HOSTNAME
Common pitfalls that break hosting servers
- Locking down the firewall before confirming console access. Keep a fallback path, every time.
- Blocking WHM/cPanel ports for customer IPs by accident. Restrict WHM (admin), not cPanel (customers), unless you have a portal/VPN plan.
- Disabling DNS on a server that still hosts zones. Confirm where authoritative DNS lives before you close port 53.
- Turning off outbound SMTP without a mail relay plan. If apps send mail, define the route first.
Summary: your hardened baseline for 2026 cPanel hosting
This guide covered changes that reduce risk quickly: patching, HTTPS-only access, SSH keys, a tighter firewall, fewer exposed services, and backups you can actually restore.
If you only do three things, make them these: disable password SSH, restrict WHM to admin IPs, and validate off-server backups with a real restore test.
If you’re building a new cPanel server or migrating clients onto a cleaner baseline, start with infrastructure that gives you headroom and predictable I/O. A well-sized HostMyCode VPS works for most small-to-mid hosting setups.
HostMyCode dedicated servers make sense once you’re consolidating many accounts or pushing higher mail volume.
If you want a cPanel-ready server that stays stable under real hosting workloads, run it on HostMyCode VPS with dedicated resources and clean networking. If you’d rather not spend weekends on updates, firewall tuning, and backup verification, managed VPS hosting is a practical way to keep the server secure and the client sites online.
FAQ
Should you change the default WHM/cPanel ports?
Port changes rarely stop targeted attacks, and they add support friction. You’ll usually get better results by restricting 2087 to admin IPs and enforcing 2FA.
Is CSF required for cPanel hardening?
No, but it’s popular because it fits common cPanel workflows. Any correctly configured firewall works. What matters is opening only required ports and logging drops in a way you can actually review.
Will disabling FTP break WordPress workflows?
Usually not. Most teams use SFTP or SSH-based deployment. If a plugin or legacy tool requires FTP, keep it but enforce FTPS and a strict passive range.
What’s the quickest way to reduce brute-force attempts?
Restrict WHM to admin IPs, enable cPHulk, require 2FA for WHM users, and disable password SSH. Those four changes remove the easiest wins for attackers.
How often should you test restores?
At least quarterly for stable environments, and after any major change (new remote storage, new backup schedule, OS upgrade). A backup you haven’t restored is a hope, not a plan.